The November 2022 Android update includes a fix for a bug that would allow an attacker to bypass the Google Pixel lock screen.
The researcher behind the discovery, David Schütz, reported the Google Pixel security flaw back in June after a series of errors led him to discover the vulnerability. He had forgotten his PIN after his device ran out of battery and died. After reboot, Schütz entered an incorrect PIN three times, triggering the SIM card to lock itself.
Fortunately, he explained in a blog post this week, he had the original SIM packaging with the factory personal unlocking key (PUK) code to unlock the SIM card. From there he was able to gain access to the device without ever entering the correct PIN.
“After I calmed down a little bit, I realized that indeed, this is a got d*mn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too,” he wrote.
The Google Pixel lock screen bypass vulnerability is tracked as CVE-2022-20465. Here are the bypass steps, according to Schütz:
- Enter the wrong PIN three times.
- Hot-swap the device SIM for an attacker-controlled SIM with a known PIN code.
- Enter the new SIM’s eight-digit PUK code.
- Enter the new device PIN.
- Presto! The device unlocks.
For his efforts, Schütz said he was awarded a $70,000 bug bounty, along with bragging rights.